Data protection deficits are becoming extremely expensive, especially for small subsidiaries of global corporations in Germany. Other companies, too, should take the latest publication of the Data Protection Conference of the Federal Government and the Federal States ("DSK") on the future assessment of fines as an opportunity to thoroughly examine their handling of personal data and to ensure data protection compliance.
Companies face fines of up to 4% of their worldwide annual turnover for breaches of certain data protection regulations. This leaves a wide range for regulatory discretion. Almost 1.5 years after the GDPR, which created the basis for these severe fines, came into force, the DSK has presented a concept for how the German data protection authorities should determine fines in the future (available at https://www.datenschutzkonferenz-online.de/media/ah/20191016).
The DSK does not make the exercise of its discretion easy for itself. In the future, fines will be calculated in five steps:
- In the first step, the company in question is categorized according to its annual turnover. There are four categories (micro, small, medium and large enterprises) with further subcategories. While a turnover of 700,000 EUR in category A.I represents the lowest annual turnover limit, companies with an annual turnover of more than 500 million EUR belong to the highest turnover category.
- In the second step, the mean value of the respective turnover category is calculated. In the third step, this mean value is broken down into a daily rate in order to determine a basic value, which in the fourth step is multiplied by a factor (1 to 12) depending on the severity of the infringement. For companies belonging to groups that exceed the 500 million EUR turnover limit, the actual annual group turnover is used for the daily rate calculation.
- Finally, in the fifth step, the fine thus determined is adjusted on the basis of "perpetrator-related and other circumstances", which are not further defined.
Although the top data protection authorities may have followed the guidelines on fines of the German Federal Cartel Office (Bundeskartellamt, "BKartA") and the European Commission in antitrust proceedings, they refrained from defining a factor that reflects the extent of an infringement. While the BKartA's and the European Commission's guidelines on fines provide for a calculation strictly based on the infringement-related annual turnover (i.e. the turnover that specifically benefited from the cartel infringement), the DSK's concept bases all further calculation on the total annual turnover of the company in question. Only the seriousness of the conduct in question and the other circumstances taken into account as factors serve as a corrective.
The following example illustrates the striking differences between the calculation of fines for an antitrust infringement and the calculation of fines for breaches of data protection law as now conceived:
- Antitrust law: A subsidiary S, which is active in the production of printing machines (annual turnover: 100 million EUR), is part of a large conglomerate M (annual turnover: 200 billion EUR), which, apart from S's activities, is not active on the market for printing machines. S enters into agreements with competitors that are contrary to antitrust law. The basis for assessment would be 100 million EUR.
- Data protection: S inadvertently discloses the personal data of its 150 employees, including information about their union membership, to an online shop for advertising materials without the employees' prior consent. The data ends up directly on the internet and leads to spam e-mails. The basis for assessment here is now 200 billion EUR.
Which conduct is more reprehensible under regulatory law: damage to the entire competitive structure with considerable disadvantages for competitors, or spam e-mails to 150 employees, which are admittedly annoying but relatively easy to stop? The striking difference compared with possible fines for restrictions of competition, which can ruin entire companies, is difficult to understand.
The DSK's new concept is unlikely to last. However, it shows that the German data protection authorities are "slowly taking data protection seriously" and are apparently willing to punish data protection violations much more severely in the future than before.