GDPR fine calculation: A look at the EDPB's new guidelines and the UK's approach

Written By

dan fara Module
Dan Fara

Associate
UK

I am an associate in the Privacy and Data Protection Group in London, specialising in the intricacies of data protection, AI, cybersecurity and e-Privacy legislation. I have extensive experience advising clients across diverse sectors—including healthcare, retail, technology, and telecommunications — I provide expert guidance on compliance with data protection, AI, cybersecurity and e-Privacy legislation.

james moss Module
James Moss

Partner
UK

I am a partner in Bird & Bird's London-based international Privacy & Data Protection practice. My background with the UK Information Commissioner's Office combined with experience as a regulatory law specialist in private practice gives me unrivalled insight into contentious data protection work and enforcement action.

Introduction

The General Data Protection Regulation (“GDPR”), which came into effect pre-Brexit in May 2018, introduced a consistent framework across the European Union of fines as a means of enforcing compliance with data protection regulations. The increase of powers did however vary between jurisdictions depending on whether or not the relevant Data Protection Authority had such powers under pre-existing legislation. For example in the UK the Data Protection Act 1998 allowed for a maximum fine for non-compliance of £500,000 and in Spain, for a maximum fine of €600.000 whereas comparable regulators in Poland and Belgium had no such fining powers. Some five years later the European Data Protection Board (“EDPB”) has recently released new guidelines on the calculation of administrative fines under the GDPR on 24 May 2023 (the “New Guidelines”). These New Guidelines aim to provide clarity and consistency in the calculation of fines across all EU member states, and in the EDPB's own words, they

"aim to harmonise the methodology data protection authorities (“DPAs”) use to calculate fines and include harmonised ‘starting points’".

It is noted that the New Guidelines are intended to work simultaneously with the previous adopted Guidelines on the application and setting of administrative fines for the purpose of the Regulation 2016/679 (WP253).

In this article we will provide a brief overview of what the New Guidelines cover and compare these to the UK Information Commissioner's Office (“ICO”)'s position and guidance on the calculation of administrative fines.

The GDPR's Introduction of Fines

The GDPR's introduction of fines in May 2018 was a significant development in the world of data protection regulation. As part of the GDPR, fines can be imposed on organisations for various violations of the GDPR. The first category of infringements is punishable by a maximum fine of €10 million or 2% of the undertaking’s annual turnover, whichever is higher, whereas the second is punishable by a maximum fine of €20 million or 4% of the undertaking’s annual turnover, whichever is higher.
The introduction of fines under the GDPR was aimed at ensuring that organisations take data protection seriously. The threat of significant financial penalties for non-compliance was intended to encourage organisations to implement appropriate measures to protect individual’s personal data, and in some cases, it was the threat of such penalties that incentivised the adoption of comprehensive data protection compliance programmes.

As is often seen with the introduction of regulatory legislation that provides the ability to impose significant financial penalties the development and implementation of such fines follows a three-step process:

  1. an initial period of concern and discussion amongst lawyers and compliance professionals, which drives compliance programmes and the implementation of policies and procedures prior to the introduction of relevant laws;
  2. a perceived ‘lag’ in enforcement activity immediately following implementation;
  3. a slow but steady uptake by regulatory authorities leading to an increase in both volume and quantum of penalties.

Some five years on from the implementation of GDPR we are firmly into the third stage of that process, with DPAs across Europe imposing fines with ever increasing confidence and in turn companies subject to such fines and their advisors developing strategies to push back against them. As the quantum of fines continue to increase the economic drivers which persuade businesses to invest greater resources in opposing such fines increase in tandem. This in turn drives the development of caselaw and authorities regarding the way in which such fines should properly be calculated and imposed. It is against that background that the New Guidelines come into play.

It is also worthy of note that one would have ideally expected guidance on how such fines should best be calculated to have been introduced in 2018 when the power to impose such fines first came into effect. The fact that the EDPB have taken some five years to develop, consult upon and publish their guidance is a clear indication of how tricky developing an approach which functions fairly and consistently across multiple jurisdictions and legal systems actually is.

The EDPB's New Guidelines

The New Guidelines provide much needed clarity and consistency in the enforcement of the GDPR. They aim to ensure that fines are applied consistently across all EU member states and that organisations are treated fairly. They do however leave the calculation of the amount of the fine at the discretion of the supervisory authority, recognising that the guidance need not be so specific as to allow a controller or processor to make a precise mathematical calculation of the expected fine. The EDPB envisages harmonisation on the starting points and methodology used to calculate a fine, rather than harmonisation of outcomes.

Subject to the rules provided by the GDPR, namely that the amount of the fine shall in each individual case be effective, proportionate, and dissuasive (Art. 83(1) GDPR) as well as that in setting the amount of the fine, supervisory authorities shall give due regard to the seriousness of the infringement and character of the perpetrator (Art. 83(2) GDPR), the New Guidelines provide a five-step approach for calculating fines. Supervisory authorities are not obliged to follow all steps if they are not applicable in any given case, nor to provide reasoning around aspects of the New Guidelines that are not applicable; and they remain free to apply a methodology similar to the one described under the proposed five steps.

Step 1 involves identifying the processing operations in the case and evaluating the application of Article 83(3) GDPR to establish which is deemed to be the gravest infringement. This step requires the supervisory authority to determine which specific processing operation has led to the infringement and to assess any concurrence of offences, unity of action or plurality of actions. It is noted that these different categories of concurrences should not conflict with each other but have different scopes of application and fit into place in a coherent overall system.

Step 2 involves finding the starting point for further calculation based on an evaluation of:

(i) the classification within Article 83(4)-(6) GDPR;
(ii) the seriousness of the infringement pursuant to Article 83(2)(a), (b) and (g) GDPR; and
(iii) the turnover of the undertaking as one relevant element to take into consideration with a view to imposing an effective, dissuasive, and proportionate fine, pursuant to Article 83(1) GDPR.

After assessing the seriousness of the infringement as a whole, the infringement would be considered:
(i) low – where the starting amount for further calculation is at a point between 0 and 10% of the applicable legal maximum;
(ii) medium – between 10-20% of the applicable legal maximum; and
(iii) high level of seriousness – between 20-100% of the applicable legal maximum.

The New Guidelines also provide guidance on starting amounts that take into account the turnover of an undertaking – adjustments are considered, for example, for micro, small and medium sized enterprises; it is noted as a general rule that the higher the turnover of the undertaking within its applicable tier, the higher the starting amount is likely to be.

Step 3 involves assessing the controller/processor's past or present behaviour and adjusting the fine accordingly. Each criterion of Article 83(2) GDPR should only be taken into account once. Intentional infringement, previous infringements, failure to cooperate with supervisory authorities, and failure to mitigate damage suffered by data subjects are examples of aggravating factors. Examples of mitigating factors include taking corrective action, cooperating with supervisory authorities, and demonstrating a low level of culpability. The absence of previous infringements is not a mitigating factor as compliance with the GDPR is expected to be the norm. The manner in which the infringement became known, and any financial benefits gained, or losses avoided are also factors to consider.

Step 4 involves identifying the relevant legal maxima for the different processing operations. This step requires the EDPB to consider the maximum amount of administrative fines that can be imposed for the specific type of infringement, as set out in Article 83(4)-(6) GDPR.

Step 5 involves analysing whether the final amount of the calculated fine meets the requirements of effectiveness, dissuasiveness, and proportionality, as required by Article 83(1) GDPR, and increasing or decreasing the fine accordingly.

The New Guidelines may result in higher fines for organisations. The base amounts for violations are generally higher, and the adjustments for aggravating or mitigating factors may significantly increase fines across the EU. There is a general trend of 'penalty inflation' over time, which creates a greater body of authority for regulators to benchmark scenarios and corresponding penalties. While the EDPB's guidelines are not legally binding, they are persuasive and likely to be influential in the application of fines across the EU. Organisations should take them into account when assessing their GDPR compliance and the consequences of non-compliance.

The UK ICO's Guidance on Administrative Fines

The UK ICO's currently applicable position on fines is outlined in its Regulatory Action Policy (‘RAP’). Some indication as to their developing thinking on the subject can also be found in the previously published draft Statutory Guidance on Regulatory Action (‘SGRA’). The RAP sets out that fines are to be used as a last resort and that the ICO will first try to work with organisations to achieve compliance. The RAP is a short document somewhat lacking in detail in respect of the methodology for the calculation of fines. By contrast the draft SGRA sets out in much greater detail the factors that should be considered when determining the amount of a fine, such as the severity of the breach and the organization's cooperation with the ICO, similarly to the New Guidelines. The SGRA has however yet to be finally adopted meaning that the ICO still operates with the older, shorter RAP as its current process. A timeline on the ICO’s published materials and consultations is set out below:

  • July 2018: The ICO published its Regulatory Action Policy, outlining its approach to enforcing the GDPR and the use of administrative fines.
  • October/November 2020: The ICO ran a consultation on the SGRA, which was not adopted. It was noted that it would “publish this guidance after the UK has left the EU and [it has] therefore drafted it accordingly”.
  • March 2022: ICO ran another consultation on (i) the draft Regulatory Action Policy; (ii) statutory guidance on our regulatory action; and (iii) statutory guidance on the ICO’s PECR powers. This consultation considered an updated version of the SGRA, which was dated 2021, which has not to date been adopted.

As part of the summary of responses from the statutory guidance public consultation from October 2020, the ICO flagged the following feedback in particular:

  • Some respondents expressed the view that the draft SGRA took a high-level and strategic approach, with not enough detail, making it difficult to understand what would guide the ICO's regulatory decision making in practice. More clarity and further explanations as well as “real life” examples were suggested.
  • It was also noted that "this could leave the average person not much clearer about when it will act. There was a related call for the Statutory Guidance to be less vague and more definite, rather than sometimes making some general statements about what the ICO may or may not do".
  • The relationship between the RAP and SGRA was also a key theme that emerged, with some feeling that it would have been more beneficial for both sets of documents to have been consulted on at the same time.

Given the level of detail in the New Guidelines and considering that the ICO’s only current adopted guidance is the RAP, there is now a significant disparity between the EU and UK position in respect of applicable guidance on the calculation of financial penalties.

What’s next for the UK?

As set out above the UK position on how fines should be calculated lags behind the current European guidance. Whilst in the post-Brexit landscape the UK is not constrained to follow EDPB guidance, nor to engage in the Article 60 consistency mechanism there remains a striking disparity between the level of detail set out in the New Guidelines as set against the ICO’s current model.

The ICO might seek to adopt some aspects of the New Guidelines as being helpful in reaching an effective proportionate and dissuasive amount in any particular case. However, at present they remain constrained to follow their existing process given that the principles of public law require them as a UK regulator to follow their own published and consulted upon policy absent good reason to depart from it in any particular case. It is of note also that whilst in some circumstances public authorities have at their discretion whether or not to issue a policy on any particular matter, section 160 of the Data Protection Act 2018 specifically obliges the ICO to issue guidance about how they propose to exercise their functions, inter alia, in connection with penalty notices which must include an explanation of how the Commissioner will determine the amount of such penalties. In short, the ICO must issue guidance on how they will calculate penalties and once issued they are bound to follow it or risk procedural challenges before the Tribunal or by way of Judicial Review.

As to where the ICO may go next, their previous consultations suggest that they have considered expanding upon the existing framework but have yet to finally decide how best to do so. Now that the New Guidelines are in place, they may decide to issue new guidance which follows closely the EDPB position or something which diverges from it to a greater or lesser extent as a way of asserting their independence post-Brexit. Either way this is a matter which will merit being closely followed. The question of how exactly penalties are arrived at and whether the applicable policies to do so have been accurately adhered to will be an issue of considerable importance to organisations who face being made subject to such penalties.

Latest insights

More Insights
featured image

EDPB weighs in on key questions on personal data in AI models

1 minute Dec 20 2024

Read More
Curiosity line green background

Australia’s first standalone cyber security law – the Cyber Security Act 2024

Dec 18 2024

Read More
Curiosity line yellow background

The New Cybersecurity Dawn – Hong Kong readies for new critical infrastructure legislation

7 minutes Dec 10 2024

Read More