Thought the Top 250 GDPR Fines Were High? The New EDPB Methodology May Make You Think Again
Since it started in May 2018, enforcement of the rules of the General Data Protection Regulation (GDPR) across the EU has revealed various national trends and differences in approach. Compare, for instance, the limited number of cases heard by the Data Protection Commission (DPC) in Ireland to the hundreds of cases handled by the Agencia Española de Protección de Datos (AEPD) in Spain. Or consider the large number of cases before the Belgian Data Protection Authority on election-related processing by natural persons. Yet one difference seems to dwarf all others: the variation in the amount of the fines imposed by authorities for alleged GDPR infringements.
This discrepancy has led the European Data Protection Board (EDPB) in May 2022 to publish new guidelines on the calculation of administrative fines under the GDPR. In these proposed guidelines, which were subject to public consultation, the EDPB set out a five-step methodology for calculating GDPR fines:
- Identifying the processing operations,
- Identifying the “starting amount” for further calculation of the fine,
- Evaluating aggravating and mitigating circumstances and their impact on the fine,
- Identifying the relevant legal maximum for each infringement, and
- Adjusting the fine where necessary from the perspective of effectiveness, dissuasiveness, and proportionality.
For the critical second step of the five-step fine assessment process, the EDPB has proposed a mathematical formula for calculating the “starting amount” for fines. The EDPB explicitly states, though, that “[t]hroughout all abovementioned steps, it must be borne in mind that the calculation of a fine is no mere mathematical exercise.” This formulaic approach in the EDPB’s approach to step 2 seems inherently contrary to that guidance, but at a minimum, while step 2 may be a mathematical exercise, the others should not be.
Whether you consider the EDPB’s step 2 formula (and the remainder of the guidelines) to be flawed or sound, just or inequitable, the very existence of a mathematical formula for this step 2 is remarkable considering its potential impact on future cases before authorities.
Why compare existing GDPR fines to the EDPB methodology, and how?
The unspoken aim of the EDPB methodology is to harmonise to a certain extent the approaches of all supervisory authorities within the EU (with also an effect on the broader European Economic Area). This may not result in uniform fines but may at least ensure that fines are all based on the same principles.
Because it is the result of discussions, perhaps even negotiations, among supervisory authorities, the EDPB methodology will invariably represent a change to the existing approach of each supervisory authority. It is therefore inevitable that some of the existing GDPR fines will differ from future fines imposed using the EDPB methodology once it is finalized. Moreover, while there is a mathematical component to the EDPB methodology, that aspect concerns only the “starting amount,” not the final penalty. Any comparison is, therefore, by definition, flawed.
Flawed, but not without merit. After all, the EDPB methodology creates three classes of infringements based on “seriousness,” each with its associated scale of fines: “Low” seriousness leads to a starting point of 0-10% of the “initial amount”; “Medium” leads to 10-20%; “High” is 20-100%. While the EDPB calls for this amount to be adjusted based on mitigating and aggravating circumstances as well as general concerns regarding effectiveness, dissuasiveness, and proportionality, such adjustment must also always be justified and proportionate.
Yet if a supervisory authority describes an infringement as “severe” and ends up imposing a fine that would fall squarely within the “Low” range under the EDPB methodology, the situation raises questions. Indeed, it seems fair to assume that no matter the mitigating circumstances, the supervisory authority would have imposed a higher fine if it had applied the EDPB methodology.
Conversely, if a supervisory authority imposes a fine that is higher even than the maximum for the “starting amount” according to the EDPB methodology, without highlighting any aggravating circumstances or describing the infringement as severe, an application of the EDPB methodology should lead to a lower fine.
With that in mind, we compared over 300 GDPR fines with the “starting amount” according to the EDPB methodology to determine to what extent these fines and the methodology appear aligned.
Which 300+ GDPR fines?
To prepare our analysis, we looked at the compilations of fines available at CMS.Law’s invaluable GDPR Enforcement Tracker and at noyb.eu’s GDPRHub and examined the relevant decisions (and reported various suggestions to our colleagues at CMS). We then looked at fines imposed on companies rather than public authorities and individuals, given the emphasis in the EDPB’s proposed methodology on annual global turnover. Indeed, the annual global turnover of an “undertaking” plays two separate roles in the EDPB’s methodology:
- First, in accordance with Article 83 of the GDPR, the turnover has an impact on the maximum amount of the fine (10 or 20 million EUR if the turnover is less than 500 million EUR; 2 or 4% of the turnover if the turnover is above 500 million EUR).
- Second, the maximum fine amount is multiplied by a multiplier, a parameter whose value depends on the turnover[1].
While some decisions explicitly mention the turnover[2], this is not always the case. In such situations, we looked for publicly available information on turnover, mainly through the financial statements published by the relevant company and websites dedicated to compiling corporate data.
Among fines above 40.000 EUR, we identified 257 fines imposed on companies whose turnover we were able to take into account. We examined an additional 50 fines that, although they were under 40.000 EUR, related to companies fined more than once.
The resulting fines examined include the following number, per country:
Country | No. of Fines Examined | Sum of Fines | Average Fine Amount |
---|---|---|---|
Austria | 3 | 19,500,000.00 € | 6,500,000.00 € |
Belgium | 11 | 1,500,000.00 € | 136,363.64 € |
Bulgaria | 1 | 511,000.00 € | 511,000.00 € |
Cyprus | 3 | 82,000.00 € | 27,333.33 € |
Denmark | 6 | 1,902,600.00 € | 317,100.00 € |
Estonia | 3 | 300,000.00 € | 100,000.00 € |
Finland | 6 | 992,000.00 € | 165,333.33 € |
France | 19 | 270,585,000.00 € | 14,241,315.79 € |
Germany | 12 | 51,305,115.00 € | 4,275,426.25 € |
Greece | 5 | 29,500,000.00 € | 5,900,000.00 € |
Hungary | 6 | 1,124,374.00 € | 187,395.67 € |
Ireland | 6 | 243,073,000.00 € | 40,512,166.67 € |
Italy | 28 | 133,409,096.00 € | 4,764,610.57 € |
Latvia | 1 | 65,000.00 € | 65,000.00 € |
Lithuania | 2 | 171,500.00 € | 85,750.00 € |
Luxembourg | 1 | 746,000,000.00 € | 746,000,000.00 € |
Norway | 5 | 7,117,600.00 € | 1,423,520.00 € |
Poland | 7 | 1,983,000.00 € | 283,285.71 € |
Romania | 17 | 507,050.00 € | 29,826.47 € |
Spain | 140 | 51,508,670.00 € | 367,919.07 € |
Sweeden | 9 | 14,169,500.00 € | 1,574,388.89 € |
The Netherlands | 9 | 4,345,000.00 € | 482,777.78 € |
United Kingdom | 7 | 53,427,000.00 € | 7,632,428.57 € |
Grand Total | 307 | 1,633,078,505.00 € | 5,319,473.96 € |
As the table above shows, seven fines by the United Kingdom’s ICO were examined, as these still pertain to similar rules. Excluding them from the analysis did not change any of our findings substantially.
How do they compare?
In absolute numbers and per country
In summary, 75.24% of the fines (i.e., 231 fines) were on the “Low” end of the scale of the EDPB methodology, in many cases despite references in the decision to the severity of the breach. This was, for instance, the case of the Irish fine against Whatsapp, despite the DPC stressing in its decision that “the Infringements (collectively and individually) are very serious, both in terms of the extremely large number of data subjects potentially affected and the severe consequences that flow from the failure to comply with the transparency requirements”. Similarly, in its decision against Enel Energia, the Italian Garante indicated that it took into account “la gravità delle violazioni” (the severity of the infringements) yet imposed a fine that would have been on the “Low” scale of the EDPB methodology.
The remainder is composed of “Medium” seriousness fines (15 fines – 4.89%) and “High” seriousness fines (61 fines – 19.87%). Of those 61 “High” fines, though, 30 (i.e., 9.77% of the total) were even higher than the “High” starting amount that would have applied under the EDPB methodology.
- Of those 30 “higher” fines, eight (over 26%) of them came from the Italian Garante, none of the other authorities coming close. Of the 28 Garante decisions we examined, over 28% imposed “higher” fines; in practice, the split between “Low” and “High” (including “higher” fines) at the Garante was almost 50-50, with only one fine was classified as “Medium.”
- The Spanish AEPD furnished the largest number of fines examined (140, or 45.60% in total). Of those decisions, the overwhelming majority (92.14%, or 129 fines) would have been classified as “Low” fines.
- The French CNIL had a significant percentage of “Low” fines (68.42% – 13 fines), the remainder included one “Medium” fine and 5 “High” ones (including 2 “higher” fines).
- Other countries with over 50% of fines examined being classified as “Low” include Austria (100%), Belgium (63.64%), Cyprus (66.67%), Germany (75%), Greece (60%), Ireland (83.33%), the Netherlands (77.78%), Norway (80%), Poland (57.14%), Romania (100%), and Sweeden (55.56%).
In combination with the various references to the severity of infringements in the decisions examined, these findings suggest that the EDPB methodology will lead to an increase in the level of fines in many jurisdictions if it becomes applicable.
Per turnover category
Looking at the turnover of the companies fined, 217 of the fines examined related to companies with a turnover above 250 million EUR. Among those 217 fines, 96.77% (210) would have been on the “Low” scale of the EDPB methodology, 2.30% (5) would have been “Medium,” and 0.92% (2) would have been “High.”
Had the EDPB methodology been applicable, though, it is extremely unlikely that such a significant percentage (96.77%) would have imposed “Low” fines in situations in which aggravating factors were brought up by the supervisory authority. In other words, it seems likely that the EDPB methodology would have led to higher fines for companies with a turnover above 250 million EUR.
For a revenue between 50 million EUR and 250 million EUR, the result is less skewed: of the 30 fines examined, 60% (18) would have been “Low,” 10% (3) would have been “Medium,” and 30% (9) would have been “High.” Moving to firms with under 50 million EUR in revenue, the threshold for “small and medium-sized enterprises” (SMEs), we observe a reverse trend: of the 60 fines examined, 83.33% (50) would have been classified as “High,” 11.67% (7) “Medium,” and 5% (3) “Low.” Put differently, it is possible that the EDPB methodology would have led to lower fines in practice for such SMEs had it been applicable. A caveat is that many of the fines under 40.000 EUR may concern SMEs, so the proportion of “High” fines over all GDPR fines for SMEs may be lower.
DeFine, a GDPR fine calculator to help understand the EDPB methodology
The above comparison highlights the gap between current practice by supervisory authorities and “step 2” of the methodology proposed by the EDPB. If it were to apply tomorrow, companies with more than 250 million EUR in turnover would likely face higher fines for GDPR infringements.
In order to help companies understand how this methodology works, and what it might mean for them should the formula remain unchanged, we have built DeFine, a free GDPR fine calculator available here that calculates the “starting amount” for fines under that step 2 of the EDPB’s methodology.
Because authorities would still have significant leeway in determining the final amount based on a range of factors, the result of the calculation is not final – but at least DeFine removes part of the broad uncertainty that exists today.
If you have any additional questions regarding the EDPB methodology, DeFine, or EU data protection compliance more generally, reach out to Peter Craddock or your usual contact at Keller and Heckman LLP.
[1] By way of an illustration, that multiplier has a value of 0.02 – i.e., 2% – for turnover between 10 and 50 million EUR, and 0.2 – i.e., 20% – for turnover between 100 and 250 million EUR.
[2] For instance, some of the decisions of the Belgian, French, Greek, Italian, Polish, Spanish, and Swedish authorities explicitly include the turnover of the relevant “undertaking”.