This article is written by Shubhang Gupta, pursuing a Diploma in Cyber Law, Fintech Regulations and Technology Contracts from Lawsikho.com. Here he discusses “Penalties under the General Data Protection Regulations (GDPR)”.

Table of Contents

Toggle

What is General Data Protection Regulations?

General Data Protection Regulations are guidelines, which are enacted to protect the personal data of persons (whether natural or artificial) located in the European countries. These regulations are implemented by the European Union, which came effect from 25^th May 2018. These regulations consist of different components like: duties of controller and processors, the establishment of superior authority, fines and Penalties etc. This Regulation is enforced to curb the hands of big corporations, who were putting on the private rights of the people. These regulations had put a strong impact on the collection of personal data been collected by these big Corporations. This data are put to use by this corporation to manipulate the people’s decision and psychological thinking. This resulted in grave destruction to mankind, so it becomes most important to come up with a strict law regulating the functioning of such big Corporations. These regulations also include penalty and fines as its core element. This allows the EU to impose a heavy fine upon any party violating the terms of the regulations. This is the first and major step taken against the protection of personal data. This law had a long way to go in terms of its acceptability and practicality by the big market forces.

Provisions relating to the penalty under the GDPR

It is one of the most important and required provisions to achieve the aim laid down under the regulations. There can be a no real implementation of any law without having strong sanctity by the law in terms of penalty and fine. Heavy penalty and fine under this regulation could be the prime factor of its acceptability by the companies, enterprises etc., whether small or big. No company could ignore its responsibility and liability mentioned under the provisions of this regulation. Article 83 and 84 of the regulation deals in a comprehensive way with all fines and penalties stated under the regulations. Any person or establishment who has infringed any provision of regulation, is liable under these articles for penalties and fines etc. Since the applicability of the regulations, the union had imposed heavy fines on various enterprises and big corporations which show the strict compliance of these regulations by the union. These regulations had become a major barrier to big corporations like Google, Facebook etc. after implementation of these regulations, the revenue of these big companies had significantly reduced. Now data subjects enjoy more rights than ever before.    

Penalties for infringements under GDPR

Infringement of the European Union‘s GDPR can result in administrative fines of up to 4% of annual global turnover or €20 million – whichever is greater.

Not all General Data Protection Regulations infringements lead to fines. Supervisory authorities established under the regulation such as the ICO (Information Commissioner’s Office) have the scope to take a range of other following actions, such as:

• Issuing warnings and reprimands to the enterprises and companies, as the case may be;
• Imposing a temporary or permanent ban on data processing by any doubtful enterprise or company, as the case may be;
• Ordering the rectification, restriction or erasure of data; and
• Suspending data transfers to third countries, not in compliance with the regulations.

What is the maximum administrative fine under the GDPR?

There are two categories of administrative fines that can be levied as penalties for the General Data Protection Regulation’s non-compliance:

1. Up to €10 million, or 2% annual global turnover – whichever is greater; or
2. Up to €20 million, or 4% annual global turnover – whichever is greater.

Fines are discretionary in nature rather than mandatory. They must be imposed upon the case-by-case basis and every material fact should be taken into consideration. The whole process should be “effective, proportionate and dissuasive”.

The fines are based on the specific articles of the Regulation that the organisation has breached. Data controllers and processors face administrative fines of:

• Up to €10 million or 2% of annual global turnover for infringements of below-mentioned articles as follows:

1. Article 8 (conditions for children’s consent) under this Article, it is necessary to take consent of the data subjects in case he/she is above 16 years old whereas if he/she is minor, then from his/her guardian who had authority to do so;
2. Article 11 (processing that doesn’t require identification) this Article states that, if there is no need or purpose to collect, acquire etc or which do not require identification of the data subjects for the purpose of the controller, the controller shall not be obliged to retain such data under the regulation;
3. Articles 25–39 (general obligations of processors and controllers) these Articles deals with the obligations which must be performed by the data controller and processor under the regulations;
4. Article 42 (certification) this article deals with the certification of a system used by the data Processor and data Collector for processing of data. Under this Article, some bodies like the supervisory authorities, the board and the commission encourage the establishment of data protection certification mechanism to demonstrate that the system been used by the Data Controller and processor are in compliance with the regulation; and
5. Article 43 (certification bodies) this article deals with the characteristics required in the certification bodies established under Article 42 of the regulation.

• Up to €20 million or 4% of annual global turnover for infringements of below mentioned articles which are as follows:

1. Article 5 (data processing principles) this article deals with the basic principles required during the data processing by the data controller or data processor. This is one of the most important articles, in accordance with these principles mentioned under the article, the superior authorities or other bodies can judge the reasonability of processing of data carried out by the data processor and controller;
2. Article 6 (lawful bases for processing) this article states the conditions which are required to declare data processing lawful. This article contains 6 conditions, at least one of the conditions must be applied by the data processor or data collector;
3. Article 7 (conditions for consent) this article state the conditions required to be followed, when the data collector will be taking the consent from the data subjects. If there is no fair means used while taking consent from the data subject such collection of data will be unlawful data;
4. Article 9 (processing of special categories of data) this article mentions the special type of data, whose processing is prohibited under the regulations;
5. Articles 12–22 (data subjects’ rights) these articles deal with the data subject’s rights such as the right of access, right to data portability, right to erasure, right to restriction of processing, right to object etc; and
6. Articles 44–49 (data transfers to third countries) this article deals with the transfer of data to third world countries. Regulation prohibits the transfer of data to any country, which is not included in the list of the third country and which could not ensure data protection on their territory. These articles also mention some preventive safeguards which have to be adopted while transferring data to the third world countries.

General Data Protection Regulations fines imposed till date

According to the European Data Protection Board, 206,326 cases were reported by Supervisory authorities in the first nine months of the General Data Protection Regulation’s enforcement. Out of these cases, 94,622 were related to complaints and 64,684 were related to data breach notifications by data controllers in the union. In the same period, supervisory authorities in 11 EEA countries issued administrative fines totalling to €55,955,871. The vast majority of that total is the €50 million fine France’s CNIL issued to Google in January 2019.

Other notable GDPR enforcement action:

• The ICO took its first action under the GDPR on 6 July 2018, when it issued an enforcement notice to Aggregate IQ Data Services Ltd as part of its investigation into the Cambridge Analytical/ Facebook /Vote Leave scandal.
• In March 2019, the UODO, the Polish Personal Data Protection Office, announced its first fine under the GDPR. An unnamed organisation was fined more than PLN 943,000 (approximately £193,500) for failing to inform more than 6 million data subjects that their personal data was being processed, thereby preventing them from exercising their rights.

How are GDPR fines applied?

While deciding whether to impose an administrative fine and to what level, supervisory authorities under the regulations should consider a range of factors which are as follows:

• The nature, severity and duration of the infringement.
• Whether the infringement was caused intentionally or by negligence.
• Any action was taken by the organisation to mitigate the damage suffered by individuals.
• Technical and organisational measures that have been implemented by the organisation.
• Any previous infringements by the organisation or data processor.
• The degree of cooperation with the regulator to remedy the infringement.
• The types of personal data involved.
• Adherence to approved codes of conduct or certification schemes.

Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skill.