08.11.2019

Higher GDPR fines to be expected in Germany – Data protection authorities publish new concept for the calculation of fines

In short: On 16 October 2019, the German data protection supervisory authorities published their new model for calculating fines in reaction to breaches of the General Data Protection Regulation (GDPR). The joint committee of all data protection authorities of the federal states of Germany, the Data Protection Conference (DSK), has developed a concept to make the imposition of fines more uniform and comprehensible. Last week, the authorities released the English translation of the concept.

Background

In the past, German authorities have been reluctant to impose fines for breaches of data protection laws, largely adhering to the principle "cooperation before punishment". The authorities' intention was to instruct companies to follow the provisions of the GDPR and to introduce processes that are compliant with the law on their own initiative, instead of simply reacting to the risk of being fined. Other EU countries have already made extensive use of the possible fines. In 2019, the British data protection authority ICO imposed fines as high as EUR 200 million on British Airways and EUR 100 million on the Marriott hotel group. Even before that, the French supervisory authority fined Google EUR 50 million. The new fine model will bring German practice into line with that in France and Great Britain and will therefore lead to significantly higher fines. Announcements from Berlin concerning the fines on Delivery Hero (of approx. 200,000.00 €) as well as on Deutsche Wohnen amounting to EUR 14.5 million should only mark the beginning of this new development.

The new concept is supposed to provide the data protection supervisory authorities with a uniform method that allows for a systematic, transparent and comprehensible calculation of fines. The resulting higher fines are meant to have a deterrent effect and to ensure that data protection laws are observed. From now on, the new calculation basis will be binding for all German data protection supervisory authorities. Nevertheless, the model is not binding for the European courts or authorities. Yet it is possible that the German model will establish itself, at least in part, as a standard even at the European level. This is because the European Data Protection Board (EDPB) has yet to determine a standard calculation model or to introduce a calculation model of its own. The German Data Protection Conference has already announced that such a European model would replace the current German concept once it enters into force.

The new calculation model

The new calculation model is essentially based on the provisions of Art. 83 GDPR and is divided into five steps:

  1. First, the company in question is assigned to a category which is defined by the company’s worldwide annual turnover in the previous business year.
  2. Then, the average annual turnover of the respective sub-group (microenterprises, small and medium-sized enterprises or large enterprises) in which the enterprise is classified is determined.
  3. Based on that number the basic economic value is determined: the authorities calculate a so-called "daily rate" by dividing the company’s average annual turnover in the previous year by 360.
  4. Subsequently, the violation is categorized according to its degree of severity regarding the individual case and multiplied by a corresponding factor.
  5. Finally, the calculated fine is adjusted on the basis of all other circumstances of the individual case which have not yet been taken into account. In this step, all positive and negative circumstances are taken into consideration.

Implications of the new calculation concept

The new calculation model has already been tested by individual authorities, and its consistent application throughout Germany will be seen more frequently in the coming months. Legal uncertainties may arise from the considerable margin of discretion that is granted to the authorities in assessing the circumstances of each individual case. For example, the level of severity assigned to a particular violation remains subject to the authority's judgement.

However, the more transparent calculation model may also have advantages for companies: their risk managers and data protection officers can now anticipate the amount of a potential fine much more precisely, although an exact calculation is not possible.

The GDPR generally does not provide for any reduction if a company has committed several violations. As a result, the supervisory authorities intend to assess each breach individually and to determine the final amount based on the combined value of the fines. This might initially suggest that fines will be exceedingly high. Nevertheless, there is also the possibility that the final amount calculated might be lower than the sum of all fines added together, since individual circumstances can be considered.

What companies should take into consideration

The rule "better safe than sorry" is truer than ever. Companies should seize the opportunity to critically assess how they organize their data protection. The most effective way of avoiding millions of euros in fines is to have a well thought-out data protection system based on the requirements specified by the GDPR.

But even if an investigation into a data protection incident or data breach is already underway and the imposition of a fine is looming, there are still ways to reduce it. In particular, comprehensive and transparent cooperation and communication with the supervisory authorities should have a mitigating effect on the amount of the fine. If the determination of the fine according to the model leads to considerable financial disadvantages, e.g. if the fine based on annual turnover and the company's profit are out of proportion, companies may take legal action against a fine. Since the model is not legally binding for the courts, they can determine the amount of the fine during the proceedings themselves and, if necessary, adjust the amount according to the circumstances.

Companies should also observe the execution of the new calculation concept at German level and the developments concerning a coordinated model at European level to be able to adjust their risk management accordingly.


Gerrit Feuerherdt
Associate
Köln


Ann Cathrin Müller
Research Associate
Köln