GDPR

Adatvédelem mindenkinek / Data protection for everyone

The German DPAs' new concept on calculating GDPR fines

21 October 2019, 14:00 - poklaszlo

The Conference of the Independent Data Protection Authorities of Germany (Konferenz der unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder; DSK) has published its generally applicable principles for imposing GDPR fines on companies. By publishing its concept, the DSK follows the Dutch DPA (Autoriteit Persoonsgegevens), which, as the first authority within the EU, published its own policy on imposing fines in March 2019. However, the DSK's methodology is more complex and seems to result in considerably higher fines.

Why is a generally applicable concept regarding the application of fines necessary?

One of the driving forces behind adopting the data protection rules in the form of a regulation within the European Union was "to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union" (Recital 10 of the GDPR). Consistent protection of personal data depends on whether the rules are applied equivalently in all Member States. Uniform application of the GDPR also means that the DPAs impose fines on the basis of the same approach. To help the DPAs apply the provisions on fines consistently, the Article 29 Working Party (WP29) issued guidelines on setting administrative fines under the GDPR, and the European Data Protection Board endorsed the application of those guidelines. However, the guidelines only offer some help in interpreting the elements of Article 83(2) of the GDPR; there is no transparent and generally applicable method of calculating fines within the framework set by the GDPR (i.e. the question of how to calculate the amount of the fine consistently for similar breaches of data protection law remained unanswered).

In the absence of an EU-wide concept for calculating GDPR fines, some authorities took the lead and started to set the rules for their own jurisdiction. This could be particularly important in Germany, where several data protection authorities operate independently; a uniform interpretation is therefore crucial, but it can be a significant challenge even at the national (federal) level. It is worth noting, however, that the DSK's concept expressly states that it will cease to apply once the European Data Protection Board issues its EU-wide policy on calculating fines.

How does the fining policy of the DSK work?

The purpose of the concept is to ensure that fines imposed for data protection breaches are effective, proportionate and dissuasive. The concept applies only to undertakings and not to associations or individuals acting outside of their economic activity. The concept defines a five-step model for calculating fines:

  1. undertakings are categorised by their annual revenue (i.e. on the basis of the total worldwide annual turnover of the preceding financial year),
  2. the average annual turnover is calculated for each category,
  3. a base amount of the fine (the "daily rate") is calculated by dividing the average annual turnover by 360,
  4. this base amount is multiplied by a factor that reflects the gravity of the violation of the data protection rules (subject to the criteria set out in Article 83 of the GDPR),
  5. the resulting amount can be adjusted in the light of the circumstances of the given case (i.e. by applying mitigating and aggravating circumstances at the discretion of the authority).

On this basis, the first four steps essentially provide a stable framework for imposing fines. The first three steps yield a constant base amount, which in step 4 serves as the basis for a "fine corridor" that reflects the gravity of the violation. The last (fifth) step leaves some room for corrections within the "fine corridor", allowing the authority to make sure that the fine to be imposed is effective, proportionate and dissuasive and remains within the limits set by the GDPR.

What can we expect on the basis of the new concept?

Applying the concept can create a more transparent environment for businesses, but it can also lead to a significant increase in the amount of fines compared to previous practice. It is worth noting that the German DPAs imposed fines totalling EUR 485,000 in 81 cases up to May 2019. The Berlin DPA already stated in August that it intends to impose much higher fines, and in one case it imposed a total fine of EUR 200,000, which was much higher than previous German fines. Under this new approach, rising fines in Germany may affect the level of fines in other Member States, i.e. a general increase in fines can be predicted.

The question is whether the German and Dutch guidelines will be followed by further national policies on calculating fines, and whether the European Data Protection Board will adopt guidelines that can be applied uniformly across the EU instead of differing calculation methods at the national level. Unification in this area can be a significant challenge, however, since a system that does not properly take into account differences between Member States can have far-reaching negative effects, even beyond data protection.
