Although the scale of fines that can be levied for breaches of the GDPR is usually the primary focus of news stories and headlines, enforcement of the Regulation is more complex than this might suggest. Understanding how the Regulation is enforced is critical to all organisations seeking to stay on the right side of the law.
The hierarchy of authorities
The Regulation refers to a number of organisations and groups with varying levels of authority in relation to enforcement. Understanding how these different groups can influence how you implement compliance will be critical to staying on the right side of the law.
The supervisory authority in your country will be your primary source of information about the state of the law where you are based, and will be primarily responsible for investigating and prosecuting breaches of the Regulation. In most countries within the EU, it should already be reasonably clear who the supervisory authority will be, as they will likely be moving their operations over from enforcing the Data Protection Directive (DPD) to enforcing the GDPR. They have probably already released a number of pieces of guidance warning organisations about the changes that are coming.
For some countries, this may be complicated by federalised structures, in which a central government authority asserts varying levels of control over regional departments. The GDPR allows for these circumstances by providing for each Member State to have one lead supervisory authority that has responsibility for ensuring coherence of regulatory activity.
Regardless of the situation, you should be able to identify your most immediate supervisory authority, which should be able to advise you on the applicability of other local laws and regulations, approved guidance, codes of conduct, and so on. If you have a DPO, you will need to identify them to the supervisory authority, as noted in Chapter 2.
Member States have some leeway in terms of how the Regulation is implemented. While the Regulation is a law in itself, Member States are specifically called on to set standards and further restrict conditions in a number of situations. In many cases, the Member State’s case law may influence how the Regulation is applied, or the context in which the Regulation is managed.
The European Data Protection Board is established in Article 68 of the Regulation as a central body composed of representatives from each Member State’s supervisory authority. The Board’s duty is to ensure that the Regulation is applied consistently across the Union, and to advise the Commission on issues relating to the Regulation. The Board will coordinate the selection and development of codes of conduct and certification mechanisms, guidelines, recommendations and best practices.
The highest authority of the GDPR is the European Commission itself. The Commission is the executive body of the EU, and is responsible for a great deal of the day-to-day rule of the EU, much like the cabinet in an ordinary democracy. The Commission may make executive decisions on topics such as awarding third countries an adequacy decision. In the course of complying with the GDPR, it is extraordinarily unlikely that any organisation will need to deal directly with the Commission.
The “one-stop-shop mechanism” referred to by the Regulation denotes a mechanism that ensures an organisation under investigation is only examined once. The Regulation states that “the lead supervisory authority should decide, whether it will handle the case pursuant to the provision on cooperation between the lead supervisory authority and the other supervisory authorities concerned (‘one-stop-shop mechanism’), or whether the supervisory authority which informed it should handle the case at local level”226.
By limiting investigations to a single supervisory authority, the Regulation achieves the following objectives:
- Organisations do not have to submit to multiple investigations for the same case.
- Because this applies when organisations exist in multiple jurisdictions, it may remove the potential difficulties of being investigated in each country individually.
This mechanism does not apply in the case of processing carried out by public authorities or private bodies in the public interest. In such cases, the investigation should always be conducted by the supervisory authority of the Member State in which the public authority or private body is established.
Duties of supervisory authorities
Supervisory authorities have a wide range of duties that are supported by a number of powers. In addition to monitoring and enforcing compliance, supervisory authorities are required to take the role of public educator. In particular, the GDPR requires them to “promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing”227. This is an important duty because an educated public will be more likely to spot abuses or poor practices and pass on their suspicions or concerns to the supervisory authority.
This role as an educator is not limited to the public. Supervisory authorities are also required to promote awareness of the Regulation among controllers, processors and governments to ensure that the business and regulatory environment supports a best-practice approach to privacy and data protection.
The supervisory authority must also provide all relevant information an organisation might need in order to comply with the Regulation. This will include guidance relating to binding corporate rules, standard contractual clauses, codes of conduct, the selection and accreditation of certification bodies, and so on. The supervisory authority should be your first consideration for obtaining guidance or ascertaining whether there is an approved methodology in existence.
Powers of supervisory authorities
The supervisory authority’s powers fall into three categories: investigative, corrective, and authorisation and advisory.
Investigative powers enable the supervisory authority to gather appropriate information or evidence, including extensive rights to access personal data and to gain access to controllers’ and processors’ premises.
Corrective powers allow the supervisory authority to escalate the level of interaction with a controller or processor if the supervisory authority finds them to be in breach of the Regulation. These corrective powers range from issuing warnings that “intended processing operations are likely to infringe provisions of [the] Regulation” to imposing administrative fines and ordering the suspension of data flows to a recipient in a third country or international organisation228.
Authorisation and advisory powers enable the supervisory authority to develop and promote standards, codes of practice, certification mechanisms, and so on. This essentially ensures that all Member States have an authority that can establish standards that are consistent with the other powers.
Duties and powers of the European Data Protection Board
The European Data Protection Board also has a number of duties and associated powers, and is generally responsible for making sure that the Regulation is applied consistently across the EU. Because the Board comprises one member from each of the EU’s Member States, as well as a representative appointed by the Commission, it is an excellent venue for discussing how the Regulation is applied across differing legal jurisdictions.
Like supervisory authorities, the Board is also able to develop and promote codes of practice and certification mechanisms. Unlike those developed and promoted by the supervisory authorities, these will be more universally applicable, as the Board is responsible for the Regulation across the whole EU and not just in a single country.
Furthermore, because the Board reports directly to the Commission and its decisions are based on experiences from across the Union, they will have greater impact on data protection and how the Regulation evolves. Keeping track of the Board reports can provide insights into future requirements and changes. The Board produces an annual, public report on “the protection of natural persons with regard to processing in the Union and, where relevant, in third countries and international organisation”229. This report will be a good source of information if your organisation is heavily reliant on processing that may be risky under the Regulation.
Data subjects’ rights to redress
Data subjects have a number of rights that relate specifically to how they can seek remedy and/or judicial redress for breaches of the Regulation230:
- Right to lodge a complaint with a supervisory authority. Data subjects have the right to complain to a relevant supervisory authority if they believe that processing of their personal data infringes the Regulation.
- Right to an effective judicial remedy against a supervisory authority. Data subjects are permitted to seek a judicial review of any decisions about them that have been made by a supervisory authority.
- Right to an effective judicial remedy against a controller or processor. Data subjects have the right to seek judicial remedy against a controller or processor if they consider their rights to have been infringed as a result of processing of their personal data in non-compliance with the Regulation.
- Right to representation. Data subjects can be represented by a non-profit organisation to lodge complaints and seek compensation on their behalf.
- Right to compensation and liability. Anyone who has suffered damage as a result of an infringement of the Regulation has the right to seek compensation from the controller or processor. Note that this person does not need to be the data subject in order to suffer damage and seek compensation.
These rights are in addition to the supervisory authorities’ rights to investigate controllers and processors, and in some cases may result in different judgements. For instance, the supervisory authority may find a controller to have operated in compliance with the Regulation, but when the data subject seeks a review, the court may find against the controller and award compensation. This would only be possible if the supervisory authority had elected not to take the matter to trial, as the Regulation does abide by the principle of ne bis in idem231, which means that a controller or processor cannot be tried in court for the same offence twice.
Administrative fines regularly feature in headlines about the GDPR. It’s true that they’re much larger than previously permitted under law, which is to be expected as part of making the punishment effective. As the Regulation states, these fines “shall in each individual case be effective, proportionate and dissuasive”232.
For many organisations, administrative fines will be significant enough to make compliance economically sensible. That is, the return on investment will suddenly seem quite reasonable. If it costs €20,000 to mitigate a severe vulnerability, the potential annualised fines of €100,000 for not mitigating said vulnerability make a one-off cost of €20,000 positively enticing.
Furthermore, administrative fines can be imposed on top of other measures permitted as part of the supervisory authorities’ corrective powers.
The Regulation states that certain conditions should be taken into account when deciding the amount of each administrative fine233. These conditions highlight the importance of specific factors in complying with the GDPR:
(a) The nature, gravity and duration of the infringement, including consideration of the processing concerned, the number of data subjects affected, and the level of damage they have suffered.
(c) Actions the controller or processor takes to mitigate damage to data subjects.
(d) Responsibility of the controller or processor, considering any technical and organisational measures that had been implemented.
(e) Previous infringements by the controller or processor.
(f) How well the controller or processor cooperates with the supervisory authority to remedy the infringement and mitigate negative effects.
(g) Categories of data affected.
(h) How the supervisory authority became aware of the infringement.
(i) Whether the supervisory authority had already ordered corrective measures against the controller or processor for the same subject matter.
(j) Whether the controller or processor adheres to approved codes of conduct or certification mechanisms.
(k) Other aggravating or mitigating factors relevant to the case.
There are really two categories of conditions for imposing administrative fines: those that reflect your willingness to abide by the Regulation, and those that reflect either negligence or a desire to circumvent, avoid or breach the requirements. To minimise any administrative fines that you might be subject to, as soon as you identify a personal data breach or significant infringement of the Regulation, you should234:
- take immediate action to mitigate damage;
- notify the supervisory authority at the earliest opportunity where relevant;
- cooperate with the supervisory authority in managing the incident and minimising damage to data subjects; and
- prepare evidence to demonstrate that you comply with the Regulation, including approved codes of conduct and/or certification mechanisms.
There are two levels of administrative fine that can be levied against organisations that breach the Regulation. The lower level of fine can be up to €10 million or, in the case of an undertaking, up to 2% of the total worldwide annual turnover (not profits) of the preceding financial year, whichever is the greater. The higher level can be up to €20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover (not profits) of the preceding financial year, whichever is the greater.
The fines themselves are based on the specific articles of the Regulation that the controller or processor has breached235. Breaches of the controller’s or processor’s obligations will be subject to the lower level, while breaches of the data subject’s rights and freedoms, including consent and international transfer of personal data, will be subject to the higher level.
Some supervisory authorities have already issued rulings on what they consider to be an “undertaking” and how they will calculate fines. In Germany, the Bavarian Data Protection Authority (Bayerisches Landesamt für Datenschutzaufsicht – BayLDA) has clarified that “when administering fines, it is the whole entity, not just an individual company in a group that is being penalised. Therefore, the fine is calculated as a percentage of the annual turnover of the entire group”236.
The Regulation’s impact on other laws
The most obvious impact on prior legislation is that when it comes into force in May 2018, the GDPR will repeal the 1995 Data Protection Directive (DPD). From that date, “references to the repealed Directive shall be construed as references to this Regulation”237.
This also means that the Regulation supersedes all of the laws that were enacted across the EU in order to comply with the DPD. It should be noted that some Member States elected to update a broader law in order to comply with the DPD, and those sections of the law that are unrelated to data protection and privacy should remain unaffected.
In relation to the E-Privacy Directive (also called the “Cookies Law”), the Regulation specifies that it does not “impose additional obligations on natural or legal persons in relation to processing in connection with the provision of publicly available electronic communications services”238. That is, the Regulation should not make the process of agreeing to cookies even more onerous. The Cookies Law has been contentious throughout the EU, with many organisations claiming that it unnecessarily bothers both the users and the organisations forced to comply with it. As such, many enforcement bodies – including the UK’s Information Commissioner’s Office – refuse to enforce that aspect of the Directive.
226 GDPR, Recital 127.
227 GDPR, Article 57, Clause 1 b.
228 GDPR, Article 58, Clause 2.
229 GDPR, Article 71, Clause 1.
230 GDPR, Articles 77-82.
231 GDPR, Recital 149.
232 GDPR, Article 83, Clause 1.
233 GDPR, Article 83, Clause 2.
234 Minor infringements should be managed relatively simply through corrective action and continual improvement processes as part of your privacy compliance framework.
235 GDPR, Article 83, Clauses 4 and 5.
237 GDPR, Article 94, Clause 2.
238 GDPR, Article 95.
239 GDPR, Recital 30.