Data protection deficits are becoming extremely expensive, especially for small holdings of global corporations in Germany. However, other companies should also take the latest publication of the Data Protection Conference of the Federal Government and the Federal states ("DSK") on the future assessment of fines as an opportunity to thoroughly examine their handling of personal data and to ensure data protection compliance.
Companies face fines of up to 4% of their worldwide annual turnover for breaches of certain data protection regulations. This leaves wide room for regulatory discretion. Almost 1.5 years after the GDPR, which created the basis for these sensitive fines, came into force, the DSK presented a concept on how the German data protection authorities should determine fines in the future (available at https://www.datenschutzkonferenz-online.de/media/ah/20191016).
The DSK does not make the exercise of its discretion easy for itself. In future, fines will be calculated in five steps:
Although the top data protectors may have followed the guidelines on fines of the German Federal Cartel Office (Bundeskartellamt – “BKartA”) and the European Commission in antitrust proceedings, they refrained from defining a factor that reflects the extent of an infringement. While the guidelines on fines of the BKartA and the European Commission provide for a calculation that is strictly based on the infringement-related annual turnover (i.e. the turnover specifically favoured by a cartel infringement), the DSK's concept bases all further calculation on the total annual turnover of the company in question. Only the seriousness of the action in question and other circumstances taken into account as factors serve as a corrective.
The following example illustrates the striking differences between the calculation of fines for an antitrust infringement and the calculation of fines for breaches of data protection law under the new concept:
Which action is more reprehensible under regulatory law? Damage to the entire competitive structure with considerable disadvantages for competitors, or spam e-mails to 150 employees that are admittedly annoying but relatively easy to turn off? The striking difference from the possible fines for restrictions of competition, which can ruin entire companies, is difficult to understand.
The DSK’s new concept is unlikely to last. However, it shows that the German data protection authorities are "slowly taking data protection seriously" and are apparently willing to punish data protection violations much more severely in future than before.