EDPB Rules on Conflict Between Data Protection Authorities

Dechert LLP

The European Data Protection Board (“EDPB”) on June 15, 2022 issued a final decision in a rare exercise of its authority under Article 65 GDPR to resolve cross-border disputes between different data protection supervisory authorities. The decision led to an increase in the fine imposed on French hotel chain Accor S.A. from €100,000 to €600,000, after a multi-year deliberative process. The EDPB’s ruling provides valuable guidance for supervisory authorities on what elements they should take into account when calculating the level of fine in order to ensure that it is effective, proportionate and dissuasive as required under Article 83(1) GDPR.

The Decision

The case involved a draft decision by the Commission Nationale de l’Informatique et des Libertés (“CNIL”), the French supervisory authority, to issue a €100,000 fine against Accor, a multinational hospitality company based in France, which reported revenues of €1.73 billion in the first half of 2022. The CNIL issued the decision as the lead supervisory authority (“LSA”) over Accor in response to eleven complaints received by various supervisory authorities between 2018 and 2019, alleging Accor prevented consumers from opting out of marketing messages and interfered with their right to access their personal data.

Article 60 GDPR provides that the LSA shall cooperate with other supervisory authorities concerned to endeavor to reach consensus as to application of the GDPR. The Polish supervisory authority (“PL SA”) raised an objection to the CNIL’s draft decision principally on the ground that the fine was too lenient given Accor's size and the seriousness of the data breaches (which the CNIL had described as “substantial”). PL SA argued that the fine would not be effective, proportionate and dissuasive as required by Article 83(1) GDPR.

The maximum fine that could have been imposed on Accor was €20 million, being 4% of its annual worldwide turnover. In making its decision, the CNIL took into account the following mitigating factors: the infringements had not been of a structural nature; following the CNIL’s investigation, Accor had taken measures to correct the breaches of the GDPR in question; and Accor had suffered a significant drop in its turnover between 2019 and 2020 due to the serious impact of the Covid-19 pandemic on the hospitality sector. Although the CNIL revised its draft decision to reflect some of the PL SA’s criticisms, it declined to increase the fine and referred the dispute to the EDPB.

In its binding decision, the EDPB stated that:

  • when issuing a decision under Article 65(6) GDPR, the CNIL should take into account the undertaking’s annual turnover corresponding to the financial year preceding the date of its final (rather than draft) decision, i.e., the turnover of Accor in 2021;
  • Accor’s turnover was relevant not only to the determination of the maximum fine but also to the calculation of the fine;
  • the CNIL should not have considered the drop in Accor’s turnover as a mitigating factor pursuant to Article 83(2)(k) as to do so, when it had also considered turnover within its assessment under Article 83(1), resulted in Accor’s adverse financial circumstances being counted twice;
  • without prejudice to the findings above, given the deliberately open-ended language of Article 83(1), the supervisory authority is left with a certain degree of flexibility as to the elements to be taken into account to ensure that the final amount of the fine complies with the principle of effectiveness, proportionality and dissuasiveness;
  • however, the mere finding that an undertaking is in an adverse financial situation would not automatically warrant a reduction in the amount of the fine when considering whether the level of fine was effective, proportionate and dissuasive.

In this case, the EDPB found that since the fine proposed by the CNIL would represent only 0.02% of the 2020 estimated turnover of Accor, that amount would qualify as negligible in the circumstances of the current case, in particular given that it was imposed for infringements that the CNIL considered to be “substantial.” Such a level of fine would not discourage Accor and other companies from committing similar “substantial” infringements. On that basis the CNIL was instructed to reassess the elements it relied upon to calculate the amount of the fine to ensure that it met the criterion of dissuasiveness under Article 83(1) GDPR, accounting in particular for Accor’s relevant turnover.

Following the EDPB’s decision, the CNIL issued a final decision on August 3, 2022, increasing the fine against Accor to €600,000. Even with this increase, the PL SA has expressed the view that the fine remains too low.

Key Takeaways

The EDPB’s consistency mechanism has been used in this instance to promote a consistent application of administrative fines, and its decision contains some useful guidance for supervisory authorities on their calculation. Following this decision, supervisory authorities are likely to be cautious about issuing lower fines as a result of organizations’ financial difficulties arising from the Covid-19 pandemic or otherwise. Supervisory authorities should also be mindful of the fact that if a fine is to be dissuasive, it must be set at a level which ensures that it has a genuinely deterrent effect not only on the data controller concerned but on all other data controllers in the relevant sector.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dechert LLP | Attorney Advertising
