GDPR Fine Calculation: Comparing the EDPB and ICO's Draft Guidelines

Written By

Dan Fara

Associate
UK

I am an associate in the Privacy and Data Protection Group in London, specialising in the intricacies of data protection, AI, cybersecurity and e-Privacy legislation. I have extensive experience advising clients across diverse sectors, including healthcare, retail, technology, and telecommunications. I provide expert guidance on compliance with data protection, AI, cybersecurity and e-Privacy legislation.

James Moss

Partner
UK

I am a partner in Bird & Bird's London-based international Privacy & Data Protection practice. My background with the UK Information Commissioner's Office combined with experience as a regulatory law specialist in private practice gives me unrivalled insight into contentious data protection work and enforcement action.

In one of our previous articles from July 2023, we looked at the European Data Protection Board’s (“EDPB”) then recently published guidelines on the calculation of fines (“EDPB Guidelines”) and raised the question of what comes next for the UK, as this had created a disparity between the guidance available at an EU level and that available in the UK. As we noted, under section 160 of the Data Protection Act 2018 the Information Commissioner's Office (“ICO”) must issue guidance on how it will calculate penalties, and once issued it is bound to follow that guidance or risk procedural challenges before the Tribunal or by way of Judicial Review. On 2 October 2023 the ICO opened a consultation on its draft guidelines (“ICO Draft Guidelines”). Looking at the level of detail and practical guidance set out in the ICO Draft Guidelines, it is clear that the ICO has (i) sought to align with certain elements of the EDPB Guidelines; and (ii) considered feedback and criticism from its previous consultations.

Alignment with the EDPB Guidelines

The UK GDPR is still aligned with the EU GDPR post-Brexit, so the following are all similar to those set out in the EDPB Guidelines: the maximum amount of fines (Article 83 UK GDPR and section 157 Data Protection Act 2018 (“DPA 2018”)); the factors that must be considered when determining whether to issue a penalty notice and the amount of the fine (Articles 83(1) and (2) UK GDPR for processing that falls under the UK GDPR, or section 155(3) DPA 2018 for processing that falls under Part 3 or Part 4 DPA 2018 or for a failure to comply with an information notice, assessment notice or enforcement notice); the position on the concept of an ‘undertaking’; and the treatment of a plurality of actions.

One point to note is that the ICO flagged that it does not consider itself bound by its previous decisions, but that it will ensure there is broad consistency in the approach taken when assessing whether issuing a penalty notice is appropriate. This may be explained by a desire to protect previous penalties issued under the existing penalty framework from retrospective criticism where they appear more severe than would have been the case under any new guidance.

We now consider a few sections which appear to be of particular interest.

Gravity of Infringement. Similarly to the EDPB Guidelines, the ICO Draft Guidelines set out that when assessing the gravity of the infringement, the ICO will consider the nature, scope and purpose of the processing, as well as the number of data subjects affected and the level of damage suffered by the data subjects affected by the processing. In terms of the nature of the processing, the ICO notes that it may give more weight to various factors if the nature of the processing is likely to result in a high risk to data subjects, taking into account the Commissioner’s published guidance. The ICO provides examples of “high risk” processing operations:

  • the application of new or innovative technology;
  • automated decision-making;
  • the use of biometric or genetic data;
  • monitoring or tracking; or
  • invisible processing.

The ICO Draft Guidelines also note that the Commissioner may give more weight to this factor where (i) there is a clear imbalance of power between the data subjects and the controller; (ii) the processing involves children’s personal data; or (iii) the processing involves the personal data of other vulnerable people who need extra support to protect themselves. Whilst not necessarily intended to set out enforcement priorities, the factors listed are a useful insight into the areas that the ICO considers most serious and therefore, by extension, the areas where it would be most likely to consider it appropriate to take action.

Level of damage suffered. Notably, the ICO Draft Guidelines set out examples of actual or potential harm to data subjects as being physical or bodily harm, physiological harm, economic or financial harm, discrimination, reputational harm or loss of human dignity. In carrying out the assessment of the level of damage, the ICO will take into account the fact that (i) some harms are more readily identifiable (for example, financial loss or identity theft) whereas others are less tangible (for example, distress and anxiety or loss of control over personal data); and (ii) where an infringement affects a large number of data subjects, it may result in a high degree of damage in aggregate and give rise to wider harm to society, even if the impact on each person affected is more limited.

It is also important to highlight that the ICO Draft Guidelines note that the assessment of the level of damage suffered by data subjects will be limited to what is necessary to evaluate the seriousness of the infringement, and that “Typically, it would not involve quantifying the harm, either in aggregate or suffered by specific people. It is also without prejudice to any decisions a UK court may make about awarding compensation for damage suffered.”

Intentional or negligent character of the infringement

The ICO Draft Guidelines provide helpful examples of circumstances the ICO considers may indicate an intentional infringement, notably where (i) senior management authorised the unlawful processing; or (ii) a controller or processor carried out the processing despite advice about the risks involved or with disregard for its existing internal policies.

Examples of relevant evidence taken into account by the ICO when assessing negligence include:

  • failing to adopt policies aimed at ensuring compliance with data protection law;
  • failing to read and abide by its existing data protection policies;
  • infringing the UK GDPR or DPA 2018 through human error, particularly where the person (or people) involved had not received adequate training on data protection risks;
  • failing to check for personal data in information that is published or otherwise disclosed; or
  • failing to apply technical updates in a timely manner.

Categories of personal data affected by the infringement

When assessing seriousness, the ICO Draft Guidelines note the following types of data that are likely to cause damage or distress to data subjects: location data, private communications (particularly those involving intimate details or confidential information about the data subject), passport or driving licence details or financial data.

Calculation of the appropriate fine

The ICO Draft Guidelines set out a five-step approach similar to that of the EDPB Guidelines, as well as similar starting amounts for a fine once the seriousness of the infringement has been considered. Namely, for the most serious infringements the starting point is between 20-100% of the legal maximum; for infringements with a medium degree of seriousness, between 10-20%; and for infringements with a low degree of seriousness, between 0-10%. The ICO notes that there is no pre-set “tariff” of starting points for different types of infringement, and that the approach to seriousness will take into account (i) the nature, gravity and duration of the infringement; (ii) whether it was intentional or negligent; and (iii) the categories of personal data affected.

Conclusions and next steps

The proposed guidance has been a long time coming, with previous consultations taking place over previous years and the requirement for detailed guidance in this area arguably stretching back to the introduction of the GDPR in 2018. In fairness, however, the EDPB has taken a similar amount of time to develop its own guidance, which indicates how difficult it is to reach a position that provides an appropriate level of legal certainty whilst allowing sufficient flexibility to deal adequately with all potential circumstances. What the proposed guidance does indicate is a desire not to depart radically from the European approach without good reason. The EDPB guidance is a well-reasoned and developed process, and it is unsurprising that the ICO would adopt a process which is similar in many respects.

As to the specific approach the ICO is likely to take in future enforcement action, there are, as noted above, some interesting indications of the areas that the regulator considers the most serious. Combined with the way that penalties are minimised for low-level matters and smaller entities and maximised at the top end of the scale, our reading is that in future significant penalties are more likely to be reserved for the most serious breaches. That in turn means such cases will attract significant pushback and legal challenge, which makes following the guidance that is eventually implemented closely and accurately vitally important. The ICO has of late been relatively quiet in pursuing significant enforcement action; one wonders whether the lack of a finalised penalty-setting guidance document is a factor in that situation, and whether it will change once the guidance is finalised and adopted.

First published on the IAPP website.
