There is no doubt that the General Data Protection Regulation (GDPR) was a tremendous step forward towards a harmonized legal landscape for data privacy in the European Union (EU) and the European Economic Area (EEA). However, even two and a half years after the GDPR came into force, data protection authorities (DPAs) across the EU member states are still debating some of its aspects for which they have not adopted a uniform approach. This is particularly true for GDPR fines imposed on data controllers for non-compliance with data privacy laws.
DPA Guidance on the Calculation of GDPR Fines
In March 2019, the Dutch DPA was probably the first authority in the EU to come up with a documented structure for how it was going to calculate GDPR fines for future cases of unlawful data processing and infringements of data privacy obligations by setting up four different categories of GDPR non-compliance (see our analysis here). The Conference of German Data Protection Authorities (Datenschutzkonferenz) introduced a different five-step structure. This structure begins with company size and average annual turnover, before taking the severity of the infringement into account, including mitigating factors, if any (see Concept Paper issued on October 14, 2019, in German).
Background of the Decision
Based on this new concept, German DPAs imposed a number of notable fines on data controllers. For instance, the Federal Commissioner for Data Protection and Freedom of Information fined telecommunications service provider 1&1 Telekom GmbH (1&1) EUR 9.55 million for inadequate technical and organizational measures in its service hotline call centers. In this case, a 1&1 call center agent released personal information (a mobile phone number) to a caller who falsely claimed to be the wife of one of 1&1's customers and later used the mobile phone number to stalk the customer. The only authentication factors the call center agent asked for were the name and birthdate of the 1&1 customer in question.
Key Findings of the Court
Although the Regional Court of Bonn confirmed the Federal Commissioner's view that the processing of personal data was unlawful, it substantially cut the fine, reducing it to EUR 0.9 million, a reduction of approx. 90 percent. The Court took into consideration that the unlawful processing (releasing the mobile phone number) related to a single event, which involved neither sensitive data nor a high volume of data.
It is noteworthy that the Court ruled that GDPR fine determinations based purely on an enterprise’s annual turnover are not appropriate. However, the Court also found that an enterprise’s liability for GDPR violations does not require that a specific representative or manager of such enterprise committed the GDPR infringement. By doing so, the Court let GDPR rules prevail and decided to not apply basic principles of German law on administrative offences. The latter aspect is heavily disputed and was also discussed in a deviating decision of the Austrian Higher Administrative Court (case no. Ro 2019/04/0229).
While the full text of the Court's ruling is not yet available (see the Court's press release here, in German), and both the Federal Commissioner and telecommunications service provider 1&1 can still appeal the ruling, it shows that GDPR fines remain under scrutiny and that a pan-European approach has not yet been achieved. For EU enterprises in particular, the ruling demonstrates that it is worth objecting to fines imposed by DPAs, since they may be inappropriate and legally questionable.
Authored by Dr. Christian Tinnefeld and Dr. Henrik Hanssen.